Archive for the ‘CFAA’ tag

“Hacktivist” criminal conviction reignites debate about CFAA


On November 15, 2013, self-described “hacktivist” Jeremy Hammond was sentenced to ten years in federal prison for obtaining and publishing confidential information from the private intelligence firm Strategic Forecasting (Stratfor). [1] At the urging of the U.S. Department of Justice (DOJ), Judge Preska of the Southern District of New York imposed the maximum sentence available under the Computer Fraud and Abuse Act (CFAA). Although his is not the most sympathetic case, Mr. Hammond’s conviction once again reignited debate about the CFAA. [2]

Broadly speaking, the CFAA is a federal statute that criminalizes a list of activities that may be considered “computer hacking.” [3] The list includes, among others, unauthorized access to government computers to obtain confidential information, accessing a protected computer in order to commit fraud, and extortion by threatening to damage a protected computer. Perhaps the most controversial provision of the CFAA can be found at 18 U.S.C. §1030(a)(2), which criminalizes “obtain[ing] . . . information from any protected computer” if the user does so “without authorization or exceeds authorized access.” The DOJ has interpreted “exceeds authorized access” to include any conduct that violates a website’s terms of service. [4] Under such a broad reading, the CFAA not only covers activities commonly perceived as “hacking,” but criminalizes a whole host of ordinary online actions as well. As Professor Orin Kerr noted in his testimony to Congress, on this reading the CFAA prohibits conduct as innocuous as lying on your online dating profile, since most dating sites require truthful personal information as part of their terms of service. [5]

Of course, it is hard to imagine the DOJ prosecuting a lonely bachelor for shedding a few pounds on his profile in an attempt to appear more attractive. Nevertheless, the seemingly absurd scope of the CFAA presents a more salient issue: it gives federal prosecutors broad discretion to pursue draconian prison sentences against individuals. Perhaps the most notorious example is the prosecution of Aaron Swartz, a twenty-four-year-old Harvard researcher, for downloading millions of academic articles from an MIT server. [6] After the DOJ refused multiple plea bargains and pushed for a 35-year prison sentence, Mr. Swartz hanged himself in his New York apartment. [7]

In the wake of Mr. Swartz’s suicide, there have been a number of calls to reform the CFAA, including a bill that would narrow the meaning of “exceeds authorized access” under the statute. [8] It is unclear whether this bill will garner enough support to become law. Nonetheless, as “hacktivist” groups such as Anonymous attract media attention, the CFAA will likely remain an important tool for federal law enforcement, and the statute’s breadth will likely remain a source of contention in Internet regulation.

[1] Aaron Katersky, Anonymous Stratfor Hacker Given 10 Years, Nov. 15, 2013.
[2] Hanni Fakhoury & Trevor Timm, Jeremy Hammond Case Demonstrates the Draconian Nature of the CFAA, Jun. 4, 2013.
[3] 18 U.S.C. §1030.
[4] Testimony of Orin S. Kerr, United States House of Representatives, Nov. 15, 2011.
[5] Paul Larkin, The Heritage Foundation, Reasonably Construing the Computer Fraud and Abuse Act to Avoid Overcriminalization.
[6] John Schwartz, Open-Access Advocate Is Arrested for Huge Download, NY Times, Jul. 19, 2011.
[7] John Schwartz, Internet Activist, a Creator of RSS, Is Dead at 26, Apparently a Suicide, Jan. 12, 2013.
[8] M. M. Jaycox, K. Opsahl, T. Timm, Aaron’s Law Introduced: Now Is the Time to Reform the CFAA, Jun. 20, 2013.


December 5th, 2013 at 11:29 am

Gawronski v. Amazon: Kindle Class-Action Lawsuit


When Amazon controversially deleted copies of George Orwell’s Animal Farm and 1984 from its Kindles back in July, the ironic parallels between fact and fiction sent the Internet collectively scrambling to brush up on its literary quips. Not a bad thing, at least from the point of view of librarians and English teachers. And at the end of it all, the Internet seemed to have won out: Amazon vowed never to carry out such a recall again.

But life doesn’t tie up as neatly as a novel. Individual acts of rebellion inevitably failed against Orwell’s fictional dictatorships, but Orwell’s worlds also lacked the class-action lawsuit. One such suit has already been filed against Amazon, alleging that Amazon’s actions violated its own terms of service and state unfair competition laws, and constituted fraud under 18 U.S.C. § 1030 (the Computer Fraud and Abuse Act), trespass to chattels, and breach of contract. Putting aside its rather humorous facts (the lead class representative, a Michigan high school student, alleges that the deletion of his electronic copy of 1984 rendered his class notes useless, since they were linked directly to the ebook), this lawsuit has the potential to reach far beyond ensuring that Amazon never repeats such a mass deletion.

Most of the initial complaints about Amazon’s deletion focused on how Amazon had violated consumer expectations regarding what happens to a book after it has been sold. Without the cooperation of the buyer, publishers normally cannot recover physical copies of books once sold, whatever the reason for the recall. Amazon’s deletion, however, highlighted the fact that this practical limitation doesn’t exist for an ebook. Some commentators have pointed out that this technological advance allows for stronger enforcement of copyright protections. Amazon did not have the legal right to sell those ebook copies of 1984 and Animal Farm, so it was committing copyright infringement by offering them to Kindle users. Since the sales were illegal, the first-sale doctrine would not have protected its unwitting customers from copyright infringement claims. Remote deletion has no analogue when the copy is made of paper, but perhaps changing technology should also change expectations about the methods available for enforcing the law.

On the other hand, others, including the plaintiffs in the class-action suit, assert that Amazon violated its own terms of use with the deletion. Amazon has taken pains to emphasize that the Kindle merely updates the traditional book for the computer age, without changing how books work. Ebook buyers were told that, just as with a physical book, once they bought an ebook it was theirs for life. If that isn’t true, and Amazon intends to take advantage of an ebook’s unique capabilities, then it should have made that clear to its customers.

And as if copyright and contractual issues weren’t enough, the lawsuit’s complaint also expressly asks the court to declare that Amazon has no legal right to delete ebooks once they are sold, since Amazon could not very well order people to give up physical books they have purchased. More than a declaration of equality between ebooks and physical books, such a ruling could potentially hamper any content provider’s ability to distribute material online without incurring liability if that content is later removed. It would have grave implications for the efforts of companies such as Google to encourage cloud computing and other technologies in which data is stored on the servers, and under the control, of third parties who then allow users to access that data remotely.

Until now, the book industry has been spared the contentious litigation that technological advances have brought to the movie and recording industries, largely because ebooks have not done well as a commercial product. But just as ebooks seem finally to be taking off, so have the legal questions surrounding them. The Kindle is no longer a mere geek trophy gadget; it has come of age as a focal point of legal, technological and social debate.


August 8th, 2009 at 7:00 pm

Palin Email Hack – Time to Update and Expand the Computer Fraud and Abuse Act?


by: Sherri Nazarian, Associate Editor, MTTLR

Editor: This post is part of a short MTTLR Blog series on the Computer Fraud and Abuse Act. Part one argues that the CFAA should not be expanded to address the problem of online bullying. Part two (this post) looks to the Sarah Palin email hacking case to call for a review and possible expansion of the CFAA’s provisions.

Image: Security by David Goehring. Used under a Creative Commons BY 2.0 license.

It has been over two decades since David Lightman, a scrawny Seattle high school boy, stole our hearts when he almost started World War III by hacking into the North American Aerospace Defense Command (NORAD) computer system in the 1983 movie WarGames. David Kernell, a modern-day hacker who allegedly broke into Sarah Palin’s personal Yahoo e-mail account, certainly generated the same amount of attention, but he may not have elicited the same emotions.

The hacker impersonated Palin in Yahoo’s password-reset process, supplying three pieces of readily available personal information in order to change the account’s password and gain access to her e-mails. Palin’s e-mail contents, including some personal family pictures, were online overnight, and in the process raised not only questions about internet security and personal privacy on the web, but also about whether Palin was deliberately attempting to shield public records from disclosure by using a personal e-mail account to conduct state business.

This high-profile incident suggests it may be time to revisit the legal tools available to prosecute cyber crimes. The primary statute used to prosecute hackers is the Computer Fraud and Abuse Act (CFAA), originally enacted in 1984. The statute makes it illegal for a person to “intentionally access[] a computer without authorization or exceed[] authorized access and thereby obtain[] … information from any protected computer ….” However, the statute does not make it easy for a prosecutor to charge Palin’s hacker with a felony unless other conditions are met. Former Justice Department computer crime prosecutor Mark Rasch anticipates that the hacker could be charged with as little as a misdemeanor and face “little, if any, jail time.” The statute calls for a felony charge if, inter alia, the value of the information the hacker obtains exceeds $5,000, or if the hacking was “committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.” It is not clear that Palin’s hacker falls into any of these categories.

According to computer experts, Palin’s hacker used a domestic proxy server to transmit the images to websites, and it was the proxy’s records that led to his arrest. One of the bigger problems stemming from advances in internet technology is the difficulty of tracking down hackers who leave little or no trace behind. One such dilemma arises when a hacker cleverly routes through a proxy server located in a foreign country, where the United States may have no jurisdiction, and no treaty mechanism, to subpoena the log entries. The need for stronger domestic and international protection remains pressing.

Even though Palin’s e-mail hacking incident is no inauguration of World War III, it is a wake-up call to officials, who have hopefully checked their e-mail security by now, and to the legislators in charge of amending the laws. Today’s fast-paced technological society and the borderless world of the internet make us aware of the need for more protection against cyber criminals through broader statutes with provisions that cover not just hackers, but facilitators as well. That cyber crimes will push countries into ratifying treaties like the Convention on Cybercrime is, to say the least, a rational expectation.


November 5th, 2008 at 8:30 am


Taking Down a Bully, But Taking the Computer Fraud and Abuse Act Too Far?


by: Teresa Lin, Associate Editor, MTTLR

Editor: This post is part of a short MTTLR Blog series on the Computer Fraud and Abuse Act. Part one (this post) argues that the CFAA should not be expanded to address the problem of online bullying. Part two looks to the Sarah Palin email hacking case to call for a review and possible expansion of the CFAA’s provisions.

Image: Instant Messaging by Eric Bartholomew. Used under a Creative Commons BY 2.0 license.

Bullies. They’re an unattractive staple of childhood. Most of us have either been one, encountered one, or observed one in action. But, alas, gone are the good old days of schoolyard bullies, when our homes were still places of refuge from schoolyard threats and teasing. A new era of bullying has arrived: cyberbullying.

If you’re reading this blog, then you might have already heard of the MySpace suicide case often used in awareness campaigns against cyberbullying. For those that haven’t, here’s a quick recap:

In November of 2007, Lori Drew was accused of helping her minor daughter create a fake MySpace account to lure, ridicule, and taunt her daughter’s ex-friend and neighbor, Megan Meier. Megan, at age 13, committed suicide as a result of the online bullying. While Missouri prosecutors could find nothing on the books with which to charge Lori Drew for criminal wrongdoing relating to Megan’s death, federal prosecutors in Los Angeles could. This May, Drew was indicted by a grand jury in Los Angeles for conspiracy to commit a federal crime under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. Although the trial was scheduled to begin on October 7th, it has not yet proceeded, and Drew’s defense attorney believes that it might be pushed into December.

For a more thorough account of the story, see this New Yorker article, or follow the case on the Wall Street Journal Law Blog.

The question now is whether District Court Judge Wu should dismiss Drew’s indictment under the CFAA. And if so, what then for the morally reprehensible behavior of Lori Drew, an adult who instigated and escalated a game of child’s play that led to a young girl’s suicide?

Let’s begin by examining the textual problems with charging Drew under § 1030(a)(2)(C). This subsection of the statute makes it a federal crime for anyone to intentionally access a computer without, or in excess of, authorization to obtain information from a protected computer, if the conduct involved an interstate or foreign communication. Congress did not intend this statute to confer federal jurisdiction over every circumstance in which someone unlawfully obtains information via a computer or the internet. Rather, subsection 1030(a)(2)(C) was amended in 1996 with the intent of using the CFAA to “protect against the interstate or foreign theft of information by computer.” The purpose of this subsection is clear: the CFAA is meant to punish those who ‘steal’ information (whether tangible or intangible) through computers. What interstate theft was involved in the MySpace suicide? Even if we wildly assume that juicy teen gossip can be considered an intangible good that the Drews ‘stole’ from Megan, where is the interstate connection? All the parties involved in this case resided in Missouri during the entire episode. The only interstate element remotely applicable is MySpace itself. MySpace, a subsidiary of Fox Interactive Media, and its servers are in Beverly Hills, California. But the communications exchanged were still between people within Missouri.

Furthermore, the statute has historically been applied mostly to internet hacking cases; if the prosecution is allowed to continue under the CFAA, it would be a daunting expansion of the federal government’s jurisdiction into uncharted and unintended territory. When Drew and her daughter registered the MySpace account under a fake identity, Drew agreed to the website’s terms of service (TOS). (MySpace updated its TOS in February 2008; the linked version may differ from the one Drew and her daughter agreed to in 2007.) The TOS required Drew to register the account with truthful and accurate information, to refrain from promoting false or misleading information, and to refrain from using MySpace to harass, abuse, or harm other people. The prosecution claimed that Drew and her daughter conspired to violate MySpace’s TOS when they set up their hoax account under a fraudulent identity in order to use it for tortious actions against Megan Meier. Thus, according to the indictment, they violated the CFAA by intentionally accessing a computer without, and in excess of, authorization to obtain information from Megan over the internet.

Lawmakers and lawyers alike may feel their hair rise to hear the CFAA applied so broadly. What would it mean for users if the federal government could apply the CFAA to everyone who registers an account under false information? For security purposes, I purposely register all my accounts under different dates of birth so that my personal information is not readily available on the web. Of course, the government won’t prosecute everyone who commits a fraudulent registration, right? But if not, how does the government decide who should be prosecuted, and will it be allowed to exercise such selective discretion? Allowing the prosecution to continue under the CFAA clearly raises issues for social networking generally. It might not hurt to start reviewing some of the TOS you may have agreed to already, such as those for Facebook, Twitter, Habbo, Friendster, or Orkut.

Justice Oliver Wendell Holmes said it best in his dissent in Northern Securities Co. v. United States: hard cases make bad law. What happened to Megan was a hard case, a life prematurely thrown away because of an immature prank by an adult. This awful tragedy draws on our innate social emotions to want to find a law that can severely punish Lori Drew for her actions. But, as loudly as society is crying out for justice, expanding the CFAA to such an extent is clearly bad law.

For those unsatisfied with the conclusions drawn above, here is a consoling tidbit in case Drew avoids prosecution. While the court wrestles with the legal dilemma of how to prosecute Lori Drew, if at all, the blogging community has been busy with its own sort of virtual vigilante justice. In mid-November of 2007, when the story exploded across national television, the video clips from CNN and Fox News, and even the original Suburban Journals article that first ran the story, all refrained from revealing Lori Drew’s identity to the public out of concern for her minor daughter. Repulsed by Drew’s actions, the internet community was not so kind. By November 17, 2007, bloggers had broadcast and posted Lori Drew’s name, police report, home address, business information, phone number, and her husband’s employment information. Drew, who owned an advertising business, was rumored to have closed the business and relocated because of her notoriety. Drew is sure to be haunted by her actions for a very long time. But is this form of virtual vigilante justice satisfying? Is it commendable or condemnable? The line between the vigilante response and the original abuse grows increasingly unclear.

Though virtual vigilantism is a debatable sort of justice, the community at large has been pursuing a more definite form of justice: legislation. A number of states have either proposed or already enacted legislation that prohibits cyberbullying. See examples from New York, California, Illinois, and Missouri. Congress has also gotten involved, drafting a bill to make cyberbullying a federal crime, known as the Megan Meier Cyberbullying Prevention Act.


November 4th, 2008 at 11:51 am
